Solaris 9 + Heimdal KDC?
Hi,
(This is a resend --- I didn't see it pop up on the list)
I have a heimdal KDC running on an openbsd box (the heimdal included in the base system), and I'm trying to connect a Solaris 9 system using PAM. I am using the latest patches from SunSolve even. I am using Sun's SSH.
I have set up a host keytab for the Solaris machine in the KDC, using only des-cbc-crc, as I couldn't kinit with the keytab unless I was only using that.
But when I try to use the KDC through PAM, things don't work. I get an error message that Sun's docs say means I don't have a keytab (wtf?).
So, here is kadmin -l:
kadmin> get *test*
Principal: host/test.prod.gmi.com@GMI.COM
Principal expires: never
Password expires: never
Last password change: never
Max ticket life: 1 day
Max renewable life: 1 week
Kvno: 2
Mkvno: 0
Policy: none
Last successful login: never
Last failed login: never
Failed login count: 0
Last modified: 2005-02-11 21:17:12 UTC
Modifier: kadmin/admin@GMI.COM
Attributes:
Keytypes(salttype[(salt-value)]): des-cbc-crc(pw-salt)
Here is kinit -k -t /etc/krb5.keytab:
bash-2.05# kinit -k -t /etc/krb5/krb5.keytab
bash-2.05# klist
Ticket cache: /tmp/krb5cc_0
Default principal: host/test.prod.gmi.com@GMI.COM
Valid starting Expires Service principal
Fri Feb 11 15:39:09 2005 Sat Feb 12 15:39:09 2005 krbtgt/GMI.COM@GMI.COM
renew until Fri Feb 18 15:39:09 2005
Here is kinit as a user (su - from root to user):
bash-2.05$ kinit adam
Password for adam@GMI.COM:
bash-2.05$ klist
Ticket cache: /tmp/krb5cc_1001
Default principal: adam@GMI.COM
Valid starting Expires Service principal
Fri Feb 11 15:42:26 2005 Sat Feb 12 15:42:26 2005 krbtgt/GMI.COM@GMI.COM
renew until Fri Feb 18 15:42:26 2005
So then I try to ssh (I have enabled pam_debug with /etc/pam_debug) from a remote host, and I get this in the pam logs:
Feb 11 13:33:59 test sshd[9824]: [ID 931636 auth.debug] PAM[9824]: load_function: successful load of pam_sm_authenticate
Feb 11 13:33:59 test sshd[9824]: [ID 279422 auth.debug] PAM[9824]: pam_get_user(cf990, 61746500, NULL)
Feb 11 13:33:59 test sshd[9824]: [ID 975326 auth.debug] PAM[9824]: pam_set_item(cf990:authtok)
Feb 11 13:33:59 test last message repeated 1 time
Feb 11 13:33:59 test sshd[9824]: [ID 213912 auth.debug] PAM[9824]: pam_authenticate(cf990, 1): error Authentication failed
Feb 11 13:33:59 test last message repeated 1 time
Feb 11 13:33:59 test sshd[9824]: [ID 975326 auth.debug] PAM[9824]: pam_set_item(cf990:authtok)
Feb 11 13:34:04 test sshd[9824]: PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found
Feb 11 13:34:04 test sshd[9824]: [ID 975326 auth.debug] PAM[9824]: pam_set_item(cf990:conv)
Feb 11 13:34:04 test sshd[9824]: [ID 218459 auth.debug] PAM[9824]: pam_authenticate(cf990, 1)
Feb 11 13:34:04 test sshd[9824]: [ID 794658 auth.debug] PAM[9824]: load_modules(cf990, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1
Feb 11 13:34:04 test sshd[9824]: [ID 279422 auth.debug] PAM[9824]: pam_get_user(cf990, ff00, NULL)
Feb 11 13:34:04 test sshd[9824]: [ID 975326 auth.debug] PAM[9824]: pam_set_item(cf990:authtok)
Feb 11 13:34:04 test last message repeated 1 time
Feb 11 13:34:04 test sshd[9824]: [ID 213912 auth.debug] PAM[9824]: pam_authenticate(cf990, 1): error Authentication failed
Feb 11 13:34:04 test sshd[9824]: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found
Feb 11 13:34:04 test sshd[9824]: [ID 213912 auth.debug] PAM[9824]: pam_authenticate(cf990, 1): error Authentication failed
Feb 11 13:34:04 test sshd[9824]: [ID 975326 auth.debug] PAM[9824]: pam_set_item(cf990:authtok)
Feb 11 13:34:04 test sshd[9824]: [ID 800047 auth.info] Failed password for adam from 10.1.1.110 port 36008 ssh2
Feb 11 13:34:06 test sshd[9824]: [ID 800047 auth.info] Connection closed by 10.1.1.110
Feb 11 13:34:06 test sshd[9824]: [ID 938422 auth.debug] PAM[9824]: pam_end(cf990): status = Success
The line "PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found" is the one in Sun's docs that claims I don't have a keytab.
The space I put in the log is me hitting enter on that terminal when I see the password prompt, but before I enter the password and hit enter.
Here is what I see on the KDC:
2005-02-11 15:46:10.861750500 2005-02-11T15:46:10 AS-REQ adam@GMI.COM from IPv4:10.1.1.125 for krbtgt/GMI.COM@GMI.COM
2005-02-11 15:46:10.862490500 2005-02-11T15:46:10 AS-REQ adam@GMI.COM from IPv4:10.1.1.125 for krbtgt/GMI.COM@GMI.COM
2005-02-11 15:46:10.862492500 2005-02-11T15:46:10 Using des-cbc-md5/des-cbc-md5
2005-02-11 15:46:10.862494500 2005-02-11T15:46:10 Using des-cbc-md5/des-cbc-md5
2005-02-11 15:46:10.862495500 2005-02-11T15:46:10 Requested flags: renewable, forwardable
2005-02-11 15:46:10.862496500 2005-02-11T15:46:10 Requested flags: renewable, forwardable
2005-02-11 15:46:10.862498500 2005-02-11T15:46:10 sending 548 bytes to IPv4:10.1.1.125
2005-02-11 15:46:10.862508500 2005-02-11T15:46:10 sending 548 bytes to IPv4:10.1.1.125
Now I notice that des-cbc-md5 is listed there. I'm kind of wondering what is up with that, but I see the same logs (below) when I kinit as a user:
2005-02-11 15:48:03.285116500 2005-02-11T15:48:03 AS-REQ adam@GMI.COM from IPv4:10.1.1.125 for krbtgt/GMI.COM@GMI.COM
2005-02-11 15:48:03.285855500 2005-02-11T15:48:03 AS-REQ adam@GMI.COM from IPv4:10.1.1.125 for krbtgt/GMI.COM@GMI.COM
2005-02-11 15:48:03.285857500 2005-02-11T15:48:03 Using des-cbc-md5/des-cbc-md5
2005-02-11 15:48:03.285859500 2005-02-11T15:48:03 Using des-cbc-md5/des-cbc-md5
2005-02-11 15:48:03.285860500 2005-02-11T15:48:03 Requested flags: renewable, forwardable
2005-02-11 15:48:03.285862500 2005-02-11T15:48:03 Requested flags: renewable, forwardable
2005-02-11 15:48:03.285863500 2005-02-11T15:48:03 sending 548 bytes to IPv4:10.1.1.125
2005-02-11 15:48:03.285872500 2005-02-11T15:48:03 sending 548 bytes to IPv4:10.1.1.125
So it doesn't seem too "off." The clocks are synced.
Here is /etc/pam.conf (I grep -v "^#" /etc/pam.conf for brevity):
bash-2.05# grep -v "^#" /etc/pam.conf
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_auth.so.1
rsh auth required pam_unix_auth.so.1
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_krb5.so.1 use_first_pass
passwd auth required pam_passwd_auth.so.1
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1
other account optional pam_krb5.so.1
other session optional pam_krb5.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
So... I am no PAM wizard (I've tried simply uncommenting Sun's krb5 lines, and copying the pam.conf from http://www.ofb.net/~jheiss/krbldap/files/pam.conf-9), but where should I look to fix this problem? Or is it that Sun's SSH/PAM just doesn't work too great with Heimdal?
Oh, and here is /etc/krb5/krb5.conf:
bash-2.05# grep -v "^#" /etc/krb5/krb5.conf
[libdefaults]
default_realm = GMI.COM
[realms]
GMI.COM = {
kdc = krb0.prod.gmi.com
#kdc = krb1.prod.gmi.com
admin_server = krb0.prod.gmi.com
}
[domain_realm]
.gmi.com = GMI.COM
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
versions = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable= true
}
Any ideas? Thanks a bunch!
--
adam
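An added example, not code from this thread, from Heimdal or from Sun: the check that the "Key table entry not found" message points at. krb5_verify_init_creds fetches a service ticket for the host principal and decrypts it with the keytab, so the keytab must contain that principal with the kvno and an enctype matching what the KDC holds for it. The script below parses a version-2 keytab file (the 0x0502 layout used by both MIT and Heimdal), parses `kadmin -l get` output like the one quoted in the post, and reports any mismatch in principal, kvno or enctype. The keytab bytes and the kadmin text are constructed here from the values in the post (host/test.prod.gmi.com@GMI.COM, kvno 2, des-cbc-crc); the key bytes are a placeholder. To use it for real, read /etc/krb5/krb5.keytab and paste the actual kadmin output.

```python
import struct

# Kerberos enctype numbers (RFC 3961 registry) for the types that matter here.
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}
KEYTAB_MAGIC = b"\x05\x02"   # keytab file format version 2 (MIT and Heimdal)

# Constructed sample of `kadmin -l get` output, mirroring the post's host principal.
SAMPLE_KADMIN_GET = """\
Principal: host/test.prod.gmi.com@GMI.COM
Kvno: 2
Keytypes(salttype[(salt-value)]): des-cbc-crc(pw-salt)
"""


def _cstr(s):
    """Counted octet string: 16-bit big-endian length, then the bytes."""
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into v2 keytab bytes.
    Only used to construct sample data; real keytabs come from ktutil / kadmin ext."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm) + b"".join(_cstr(c) for c in comps)
        body += struct.pack(">II", 1, 0)                  # name type NT-PRINCIPAL, timestamp 0
        body += struct.pack(">B", kvno & 0xFF)            # 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                   # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body        # length-prefixed entry
    return bytes(out)


def parse_keytab(data):
    """Return one dict per keytab entry: principal, kvno, enctype, enctype_name, key."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab (expected 0x0502 header)")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                 # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size

        def take():                  # read a counted octet string at pos
            nonlocal pos
            (n,) = struct.unpack_from(">H", data, pos)
            s = data[pos + 2:pos + 2 + n].decode()
            pos += 2 + n
            return s

        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = take()
        comps = [take() for _ in range(ncomp)]
        pos += 8                     # skip name type and timestamp
        kvno = data[pos]
        pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = bytes(data[pos:pos + klen])
        pos += klen
        if end - pos >= 4:           # 32-bit kvno overrides the 8-bit one when non-zero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "key": key,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype)})
    return entries


def parse_kadmin_get(text):
    """Pull principal, kvno and key types out of Heimdal `kadmin -l get` output."""
    info = {"principal": None, "kvno": None, "keytypes": []}
    for line in text.splitlines():
        label, _, value = line.partition(":")
        if label == "Principal":
            info["principal"] = value.strip()
        elif label == "Kvno":
            info["kvno"] = int(value)
        elif label.startswith("Keytypes"):
            info["keytypes"] = [k.split("(")[0].strip() for k in value.split(",")]
    return info


def check_keytab_against_kdc(keytab_bytes, kadmin_text):
    """Findings that would make krb5_verify_init_creds fail with 'Key table entry not found':
    the service principal is absent, or present only with a different kvno or enctype.
    An empty list means the keytab holds a key matching the KDC's copy of the principal."""
    kdc = parse_kadmin_get(kadmin_text)
    mine = [e for e in parse_keytab(keytab_bytes) if e["principal"] == kdc["principal"]]
    if not mine:
        return ["keytab has no entry for %s" % kdc["principal"]]
    findings = []
    kvnos = sorted({e["kvno"] for e in mine})
    if kdc["kvno"] not in kvnos:
        findings.append("keytab kvno %s, KDC kvno %d" % (kvnos, kdc["kvno"]))
    have = sorted({e["enctype_name"] for e in mine})
    if not set(kdc["keytypes"]) & set(have):
        findings.append("keytab enctypes %s share nothing with KDC keytypes %s" % (have, kdc["keytypes"]))
    return findings


if __name__ == "__main__":
    good = build_keytab([("host/test.prod.gmi.com@GMI.COM", 2, 1, b"\x13" * 8)])   # placeholder key
    print(check_keytab_against_kdc(good, SAMPLE_KADMIN_GET) or "keytab matches KDC entry")
    stale = build_keytab([("host/test.prod.gmi.com@GMI.COM", 1, 1, b"\x13" * 8)])
    print(check_keytab_against_kdc(stale, SAMPLE_KADMIN_GET))
```

The comparison deliberately uses the `kadmin -l get` output rather than the KDC log: the "Using des-cbc-md5/des-cbc-md5" lines belong to adam's AS-REQ, so they describe the user's exchange, not the key the KDC will use for the host/test.prod.gmi.com service ticket. A successful `kinit -k -t` only proves the keytab can obtain a TGT for the host principal; the verify step additionally needs a keytab entry for the principal name the client library resolves for the local host, so a name or realm mismatch there shows up as the same "no entry" finding.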